• Infrastructure, Web Apps March 3, 2009

    This follow-up to my post about SSL and IP addresses covers using SSL with multiple ports on the same IP address. We often use alternate port numbers to provide test versions of a host or application, since just changing the port number keeps the ServerName the same.

    It’s very straightforward to set up Apache with an alternate port number by telling Apache to listen on the alternate port. If you’re going to use port 444, httpd.conf should contain:

    Listen 444

    after which you can duplicate your SSL <VirtualHost> block with one that contains :444 instead of :443. You should also make any necessary changes within the block so that the two virtual hosts behave as you intend; changing DocumentRoot is a common one. If you are using multiple virtual servers on the alternate port (and the same IP address), you’ll need to use NameVirtualHost hostname:444 to let Apache know, but since only one certificate can be served on a given IP/port combination, at least one of the virtual hosts will produce an SSL certificate error.

    Using multiple ports is one way to use different SSL certificates on the same IP address. This works because different certs will be bound to the two IP/port combinations. The URLs would look like:

    https://www.a.com/

    https://www.b.com:444/

    If you connect to www.a.com on port 444 or www.b.com on the default port 443 you will receive the SSL cert mismatch dialog box.
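    As an added example (not configuration from the original post), here is an httpd.conf fragment that binds the two hosts above to their own certificates through the two ports; the IP address, file paths and Apache 2.2-era syntax are assumptions.

```apache
# Added example: two SSL virtual hosts on ONE IP address using two ports,
# each with its own certificate. 192.0.2.10 and all paths are placeholders.

Listen 443
Listen 444

# Default SSL port: www.a.com with its own certificate.
<VirtualHost 192.0.2.10:443>
    ServerName            www.a.com
    DocumentRoot          /var/www/a
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/www.a.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.a.com.key
</VirtualHost>

# Alternate port: www.b.com with a second certificate on the same IP.
# The port in ServerName makes Apache build self-referential URLs with
# :444, so redirects keep pointing at this host rather than the :443 one.
# https://www.b.com/ (implied 443) would reach the block above and show
# a certificate name mismatch; only https://www.b.com:444/ is correct.
<VirtualHost 192.0.2.10:444>
    ServerName            www.b.com:444
    DocumentRoot          /var/www/b
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/www.b.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.b.com.key
</VirtualHost>

# Check which certificate each port actually presents, e.g.:
#   openssl s_client -connect 192.0.2.10:444 -servername www.b.com < /dev/null | openssl x509 -noout -subject
</VirtualHost-check-note-removed>
```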

    When using alternate port numbers, you need to be more careful about how URLs are generated. Normally you only need to change the scheme (http to https) to switch to SSL, but those schemes imply the default ports (80 for http, 443 for https). You need to be sure the URL explicitly specifies any alternate port number in order to reach the correct virtual server. It’s often easier to just make all connections go over SSL when using an alternate port number.

    As mentioned, we normally only use alternate ports for test versions of an application, since the added port number complicates the URLs. When possible, we prefer to slightly change the URI (the part after the hostname) to point to the test version of the application, so the test version of https://application.washington.edu/appname/ could be https://application.washington.edu/appnametest/.

    We use multiple IP addresses if we need more than one SSL certificate, again to avoid having the port number in the URL.

    Update 1/20/2011: Prices for certificates with Subject Alternative Names (documentation for OpenSSL) are much more competitive now, so we have begun to use those instead of individual certs. This allows us to use more than one name on an individual IP address.

    Posted by fmf @ 4:35pm
